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ABSTRACT 



A system and method are disclosed for authenticating users 
and services communicating over an insecure network. Each 
user and service has a pass-phrase used for authentication. 
However, the pass-phrases are not revealed during the 
authentication process as challenge-response techniques are 
used to keep the pass-phrase secret. In addition, the users 
and services do not need to know nor do they learn each 
other's pass-phrases making the process usefuil in a distrib- 
uted environment. Pass-phrases are known by an authenti- 
cation entity with which the service communicates to 
authenticate both users and services. Users may have iden- 
tities in and services may support a number of realms, each 
of which may be viewed as large collection of users (e.g., 
CompuServe.com). Users choose the realm in which they 
would like to be authenticated. In one embodiment of the 
present invention, the system and method are adapted for use 
with the HyperText Transfer Protocol of the World Wide 
Web so that secure transactions may be accomplished 
between users and services communicating via the Inlemel. 

9 Claims, 3 Drawing Sheets 
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SYSTEM FOR REMOTE PASS-PHASE 
AUTHENTICATION 

This application is a continualion of application Scr. No. 
08/656,936 filed Jun. 3, 1996 now U.S. Pat No. 5.740.361. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to authentication of com- 
puter users and services in distributed environments. 
Particularly, the present invention relates to a Remote Pass- 
phrase Authentication scheme that provides a way to authen- 
ticate users and services using a pass-phrase over a computer 
network without revealing the pass-phrase. 

2. Description of the Related Art 

The importance of secure communication is increasing as 
world-wide networks such as the Internet and the World 
Wide Web (WWW) portion of the Internet expand. As global 
networks expand through the interconnection of existing 
networks, users may gain access to an unprecedented num- 
ber of services. The services, each of wtiich may be main- 
tained by a different provider, give users access to academic, 
business, consumer, government, etc. information. Service 
providers are now able to make their services available to an 
ever-expanding user base. 

The ease with which services and users are able to find 
each other and the convenience associated with on-line 
transactions is leading to all increase in the number of 
remote business and related transactions. However, users 
and services are not always certain who or what is at the 
other end of a transaction. Therefore, before they engage in 
business and other transactions, users and services want and 
need reassurance that each entity with whom they commu- 
nicate is who or what it purports to be. For example, users 
will not be willing to make on-line purchases that require 
them to reveal their credit card numbers unless they are 
confident that the service with which they are communicat- 
ing is in fact the service they wanted to access. Commercial 
and other private entities who provide on-line services may 
be more reluctant than individuals to conduct business 
on-line unless they are confident the communication is with 
the desired individual or service. 

Both users and services need reassurance that neither will 
compromise the integrity of the other nor that confidential 
information will be revealed unintentionally to third parties 
while communications are occurring. Security in a global 
network, however, may be difficult to achieve for several 
reasons. First, the connections between remote users and 
services are dynamic. With the use of portable devices, users 
may change their remote physical locations frequently. The 
individual networks that comprise the global networks have 
many entry and exit points. Also, packet switching tech- 
niques used in global networks result in numerous dynamic 
paths that are established between participating entities in 
order to achieve reliable communication between two par- 
ties. Finally, communication is often accomplished via 
inherently insecure facilities such as the public telephone 
network and many private communication facilities. Secure 
communication is diflSculi to achieve in such distributed 
environments because security breaches may occur at the 
remote user's site, at the service computer site, or along the 
communication link. Consequently, reliable two-way 
authentication of users and the services is essential for 
achieving security in a distributed environment. 

Two-way authentication schemes generally involve hand- 
shaking techniques so that each party may verify he or she 



is in communication with the desired party regardless of 
each party's location or the types of devices in use. The 
problem to be solved is one in which a user communicates 
with a service that wishes to learn and authenticate the user's 
identity and vice versa. To clarify the problem, there are 
three aspects of network security thai may be distinguished: 
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[dcDiification: 


the way in which a user or service is 




referenced. 


Autheaticatioa: 


the way in which a user may prove his or her 




ideality. 


Authorization: 


a method for determining what a given user 




may do. The same aspects apply to services 




as well as users. 



Identification 

A user's identity consists of a user name and a realm 
^ name. A reahn is a universe of identities. CompuServe 
Information Service (CIS) user IDs and America Online 
(AOL) screen names are two examples of realms. The 
combination of user name and realm typically shown as 
name@realm — identifies a user. Any given service recog- 
2^ nizes some particular set of identities. A reahn does not have 
to be large, though, either in number of users or size of 
service. For example, a single WWW server may have its 
own reakn of users. 



Often, a service recognizes only one realm: CIS recog- 
nizes only identities within the CIS realm and AOL recog- 
nizes only identities within the AOL realm. But, one can 
imagine a service that has agreements with both CIS and 
AOL. The service gives the user a choice of reaUns — 
"Please supply a CIS or AOL identity, and prove it" — and 
the user chooses a realm in which he or she has an identity. 
Identification, thus, provides the ability to identify, or to 
refer to, a user. 



40 



Authentication 



Authentication provides the ability to prove identity. 
When asking to do something for which a user's identity 
matters, the user may be asked for his or her identity — a user 
name and realm — and the service requires the user to prove 

45 that he is who he says he is. To accomplish this, most 
services use a secret called a pass-phrase, although it is not 
necessarily derived from text. Such a secret is sometimes 
called a secret key, but it is not necessarily used for encryp- 
tion. In this context, the fundamental problem to be solved 

50 is: How can a user prove his pass-phrase without revealing 
the pass-phrase in the process? 

Authorization 

Authorization refers to the process of determining 
whether a given user is allowed to do something. For 
example, may he post a message? May be use a surcharged 
service? It is important to realize that authentication and 
authorization are distinct processes — one related to proving 
an identity and the other related to the properties of an 
identity. The present invention is not related to 
authorization, but it is designed to co-exist with authoriza- 
tion mechanisms. 

Pass-phrase 
65 ^ 

A service that wishes to authenticate a user requires the 

user to identify himself or herself and to prove that he or she 
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knows the pass-phrase. Geaerally, the service prompts the third-party service, or to each other. If the service does not 

user for the pass-phrase. However, transmitliog tie plain text know the user's pass-phrase, then the user cannot prove to 

pass-phrases through a network comprises security because the service that be knows it. 

an eavesdropper may learn the pass-phrase as it U-avels One technique to address this problem is to have the 

through the network. X.25 networks have been 5 service prompt the user for her pass-phase. For example, 

compromised, and LANs, modem pools, and "The Inlemet" WWW service may display a Hypcr-Tcxt Markup Language 

likewise are not suitable for plain text pass-phrases due to (HTML) form with two boxes— one that asks for the user for 

the eavesdropper problem. Prompting for the pass-phrase, her user name and one that asks her for her pass-phrase. A 

whUe sufficient in the past, no longer works for extensive protocol such as SSL or SHTTP may be used so an cavcs- 

world-wide networks. lo dropper cannot see it. When the service receives the user's 

reply, the service may use a challenge -response technique to 
Fass-pnrase bncryp on verify the pass-phrase with a server that knows the pass- 
Encryption of the pass-phrase provides additional security phrases. But, there is a drawback to this technique. It is 
aod addresses the eavesdropper problem. Using encryption, important to teach a user not to type his or her pass-phrase 
the user encrypts the pass-phrase, sends the result to the j^t because somebody asks for it. This technique is com- 
service which then decrypts it. Some techniques are based monly used for cracking others' accounts. Teaching users to 
on a one-time key that prevents an eavesdropper from provide their pass-phrases in a HTML form is not a desirable 
decrypting the pass-phrase. solution because the pass-phrase is revealed, which is pre- 
TTiere are, however, problems with this technique as well. ^ ^^^^V ^^ould be avoided, especially if the seivice is a 
Somebody else — a spoofer — may pretend to be the service. spooter. 

The spoofer decrypts the result, learns the pass-phrase, and The pass-phrase database server also has some undcsir- 

gains the ability to masquerade as the user. Some people able side effects. Using this scheme, the service asks the user 

have spoofed services by getting users to dial into the for a copy of her pass-phrase. Now, an ordinary challenge- 

spoofer's computer. The spoofer advertises a dial up number response technique may be used. However, there is a need to 

for the service that is claimed to have been omitted from the get the pass-phrase from that database to the service, safely, 

directory of service numbers. The spoofer may entice people If the service call look up the pass-phrase, then anybody else 

to try the "unlisted" number by claiming it is much faster may do the same. Even worse, the entire pass-phrase data- 

than the listed numbers. Therefore, there is a need for a base may be accessed so that pass-phrases for many users 

mechanism that will not reveal the pass-phrase to anyone. naay be obtained. 

even if the user is interacting with a spoofer. Current authentication mechanisms are inadequate for the 

distributed systems, services, and users that comprise 

Challenge-response Techniques today^s world-wide networks such as the WWW/Internet. 

Challenge-response techniques involve a series of Users and services need a way to reliably authenticate one 

exchanges between a user and a service. The service sends 35 another that also meets specific design criteria. Users and 

the user a challenge, which is a random number, and the user services also have a need for a mechanism that is adaptable 

applies a one-way function to the number to calculate a to the many communication protocols used throughout 

result that depends on the chaUenge and the user's pass- world-wide networks and that is straightforward for users to 

phrase. The user sends the result to the service which T^^^se criteria aod others are met with the present 

performs the same calculation and compares the result to the 40 invention. 

result sent by the user. Done correctly, this technique reveals SUMMARY OF THE INVENTION 
no information to eavesdroppers, nor docs it allow a spoofer 

to acquire the pass-phrase — if a spoofer pretends to be the The present invention — Remote Passphrase Authentica- 

service. he learns the result only for a particular challenge— tion (RPA)— provides a way to authenticate a user to a 

which is of no value. Although such a technique works, it 45 service by using a pass-phrase over an insecure network, 

does not solve the problem completely. The service must without revealing the pass-phrase to eavesdroppers. RPA is 

know the pass-phrase in order to reproduce the user's designed so that the service need not know and does not 

calculation and verify the user's response to the service's learn the user's pass-phrase. Consequently, RPA is useful in 

challenge. distributed enviornments where it would be difficult or 

The service may not know the user's pass-phrase for 50 inappropriate to U^st a service with a pass-phrase database 

several reasons. A set of services may share a set of usere' or lo allow the service to learn enough to masquerade as the 

identities. For example, a collection of Web servers, scat- ^ser in a future authentication attempt. In one embodiment 

tcred throughout the world, may be part of a "Total Infor- of present invention, users and services on the WWW/ 

mation Service (TIS)." A user requesting access to TIS may Internet use the mechamsm of the present mvenUon to 

use her TIS user name and pass-phrase to identify herself to 55 authenticate one another. 

any TIS service. In accordance with one implementation, Using the present invention, a service may authenticate a 
each physical server may have a copy of all pass-phrases or user and a user may authenticate a service. Authentication is 
access to a master database containing all pass-phrases. This accomplished using pass-phrases (which may be derived 
solution may not, however, work under all scenarios— from textual phrases). The goal is to prove to the service that 
especially if some are third-party servers, not directly under 60 the user knows the pass-phrase, and vice versa. Techniques 
the control of the imaginary TIS. Or consider a service that are employed to minimize the possibility that the pass- 
accepts identities in multiple realms — for example, a service phrase is revealed to an eavesdropper or a spoofer. 
that has agreements with both CIS and AOL. The service Using RPA, a "user** communicates with a "service" that 
gives the user a choice of realms — Please supply a CIS or wishes to leara and authenticate the user's identity. An 
AOL identity, and prove it" — and the user chooses a reahn 55 authentication "deity" knows the users' and services' pass- 
in which he has an identity. It is unlikely that CIS and AOL phrases. The service communicates with the authentication 
will entrust a copy of their pass-phrase databases to a deity during the authentication process. If the service knows 
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the pass-phrases, then it acts as its own deity, simplifying the diallenge, the service's challenge, the user's response, 

implementation but, otherwise having no eSect oo the and the service's re^onse. 

mechanism. The deity uses the realm, service, and user name to look 

Identities for users exist in a "realm" which may be up the user's and service's pass-phrases, 

viewed as a relatively large collecuon of uscrsr-such as 5 ^^-jy ^^j^^^ ^ request, plus the service's 

compuserve.com or aol.com — but it may well consist of a pass-phrase to verify the service's response, 

small set of users (e.g., user names and pass-phrascs asso- ^^^^ ^^^^^ requesting service's identity, the deity 

cialcd with an mdividual Web server.) The service may ^ 1^ 

specify a set of realms so that it may recognize an identity ^rasc to verify the user's response. 

m any of the realms in which it participates. „ . . 

^ . . . . . . - , . Having venned both the user s and service s identity, the 

His auihenucatmn mechanism of ihe presenl invemion ^. ^^j^ ^ ^jg^j, ^j^^ ^ ^ 

consists of three related processes: autheat.cat.on, ^ ^^^^ 

reauthentication, and reauthentication cheaimg. Authentica- ^„ f«,.u« .-^ ™ ^ „ u ^ 

. , ^ ^ , , ... ^ ^ . encryption or for the reauthentication process described 

lion IS the fundamental process by which a user and a service ^^^^^ 

mutually authenticate one another within one of a set of . • . . . 

realms, without revealing their pass-phrases to one another. ^hc authenUcation deity generates and sends to the ser- 

Rcauthcnticalion is a process by which a user and service, a<"h«"«»"on *5 and the user, 

having recently authenticated one another, may again The service verifies its authentication proof and for- 

authenticate one another. They may, of course, simply repeat wards the other authentication proof to the user. The 

the authentication process, but that requires interaction with ^ ^^"^^ authentication proof, 

an authentication deity. The reauthentication process is DESCRIPTION OF THE DRAWING(S) 

faster, requu-ing no communication with a third party. Reau- ^ ' 

thentication is useful when multiple connections between FIG. 1 is a system block diagram for a preferred embodi- 

the user and service are established, whether sequential as in mcnt of the present invention; 

Hyper-Text Transfer Protocol (HTTP) or simultaneous, pj^ 2 illustrates an authentication protocol for a pre- 

Preferably, each connection is authenticated, but the reau- ^^^^^ embodiment of the present invention; and 

thentication process provides a shortcut. t-to ^ n . . t r 

rlG. 3 illustrates a reauthentication protocol for a pre- 

Authentication ferrcd embodiment of the present invention. 



Three parties or entities participate in the authentication DETAILED DESCRIPTION OF THE 

process: PREFERRED EMB0D1MENT(S) 
the user, 
the service; and 



Referring to FIG. 1, a system block diagram for a pre- 
ferred embodiment of the present invention is shown. Three 

the authentication deity. 35 ^jy^[^{^ parties participate in the authentication process of 

Each user has a user name and a pass -phrase in some jjj^ present invention* 

realm of interest. Similarly, each service has a name and a ^-y ia 

u • *u » t TT. u 4 ♦ ♦ u * • the user 12, 14; 
pass-phrase in that realm. The pass-phrase is not text, but is 

instead a 128-bit (16-octet) string of bits. However, it is service 20, 22; and 

often useful to use pass-phrases in the conventional, textual 40 the authentication deity 16, 18. 

sense, so a procedure is defined for converting a textual The entities communicate with one another via a global 

phrase to the 128-bit value used by the authentication computer network 10 such as the Internet. In an alternative 

mechanism of the present invention. embodiment, the three participating entities may be part of 

The service may specify a list of realms and the user may a small, domestic computer network. The computer network 

choose one in which he has an identity. For example, a CIS 10, which uses a message passing scheme for communica- 

user may choose to be authenticated in the CIS realm. Thus, tion between entities, may be comprised of network node 

a service is not restricted to authenticating identities in a computers 24 that route messages through the network to the 

single realm. The service possesses a name and pass-phrase communicating entities 12, 14, 16, 18, 20, 22. The network 

in all realms it specifies. oode computers may rely on servers 26 that access databases 

Each realm has an authentication deity that knows the 50 28 to obtain routing and other information needed to faciU- 

names and pass-phrases of its members. The service locates tate network trafific. 

an authentication deity for each realm. If the service knows To communicate with one another, each entity establishes 

the user's pass-phrase, it performs the role of the authenti- a connection 40, 42, 44, 46, 48, 50 to the network 10. 

cation deity itself, but this docs not afifecl the mechanism. Network connection options for the entities are varied and 

The primary steps for a preferred embodiment of the present 55 may include a local area network (LAN) or the public 

invention are as follows: telephone network via a modem or a dedicated line such as 

The service supplies a sequence of realms, with the a X.25 link or a satelUte or fiber optic link. Using addressing 

service's name in each realm, to the user. information provided by the users 12, 14 and services 20, 22, 

Tlie user chooses a realm. The chosen realm and the user's facilitates communications so that any one 

name in that realm are communicated to the service. ^°'»»y '"^V communicate, either in real tune or by leaving 

^ . . , 1 , 11 messages, with another entity on the network. For example, 

Tlie service and user exchange random chaUenges. f communicate with Service A 20, Service B 22, 

The user calculates a response and sends it to the service. user 2 (14). Service B 22 may communicate with Service 

The service calculates a response. A 20 or with either User 12, 14. Although two users and two 

The service sends a request to the authentication deity for 65 services are shown for simplicity, in reality, millions of users 

the realm in question. The request contains the realm and services may commimicate with one another through the 

name, the user's name, the service's name, the user's computer network 10. 
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To use RPA, each user 12, 14 is assigned a user name and 
a pass-phrase in some reahn of interest (e.g., compuserve- 
.com or aol.com). Similarly, each service 20, 22 has a name 
and a pass-phrase for the realms that it supports. The 
pass-phrase is not text, but is instead a 128-bit (16-octct) 
string of bits. However, it is often useful to use pass-phrases 
in the conventional, textual sense, so a procedure is defined 
for converting a textual phrase to the 128-bii value used by 
the authentication mechanism of the present invention. 

A service may support multiple realms, each of which has 
its own authentication deity 16, 18. By supporting multiple 
realms, a service may be able to increase its user base by 
making itself available to users who have a user name/pass- 
phrase in only one realm. User name/pass-phrase and 
servioe/pass-phrase pairs used by each authentication deity 
20, 30 that supports a particular realm may be stored in a 
database 30, 32 for retrieval during the authentication pro- 
cess. The authentication deity with which a service commu- 
nicates to complete the authentication process depends on 
the realms offered by the service and the realm selected by 
the user. The service then locates the authentication deity for 
the selected realm. If the service knows the user's pass- 
phrase, it performs the role of the authentication deity itself, 
but this does not affect the mechanism. 

The following values are involved in the authentication 
process of the present invention. 



As: 


AuLbenticatioo deity's response to service; 




proves user's identity 


Au: 


AuthcnticatioD deity's response to user. 




proves service's identity 


Cs: 


Challeage from service 


Cu: 


Challenge from user 


Kus: 


Session key for user and service 


Kuss: 


Session key obscured so visible only to 




service 


Kusu: 


Session key obscured so visible only to 




user 


Nr: 


Realm name 


Ns: 


Service name 


Nu: 


User name 


Ps: 


Service's pass-phrase, a 128 bit value 


Pu: 


User's pass-phrase, a 12S bit value 


Rs: 


Service's rc^xmse to challenge (during 




autbeotication process, goes to 




authentication deity; during 




reauthcQtication. goes to user) 


Ru: 


User's response to challenge (during 




authentication process, goes via service to 




authentication deity; d^ng 




reaulhentication, goes to service) 


Z: 


Padding consisting of 48 octets (384 bits) 




with all bits set to zero 


+: 


Concatenation of octet strings 


xor: 


Bitwise "Exclusive Or'* 
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Preferably, bit patterns for each value are specified so that 
different implementations may be supported. For example, 
one implementation may use ASCII, another EBCDIC, and 
another Unicode for the user name. Another implementation 
may convert the user name to lowercase and another to all 
caps. The different implementations produce different 
results for the same calculation so the authentication may 
fail. The details may be left to underlying protocol, but that 
makes the service-to-deity protocol dependent on the user- 
to-service protocol. Using such a scheme makes it difficult 
to provide a single deity for each realm. By specifying the 
bit patterns, any mixture of user-to-service and service-to- 
deity protocols may be used to operate on the same data. 

The following conventions faicilitate the development of 
a single deity to support multiple realms. Preferably, text 
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50 
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65 



Strings are represented in the Unicode character set, in 
big-endian byte order, without a trailing null character. Each 
16-bit Unicode character may be stored in two octets, with 
its high order 8 bits in the first octet. The specification refers 
only to values used in the authentication calculations, not the 
urxJerlying protocol. For example, a protocol may use ASCII 
for user names, if that character set is adequate. The ASCII 
characters may be converted to Unicode before using them 
in authentication calculations, but the protocol need not 
transmit Unicode characters. 

Names — Nr, Ns, Nu — are converted to lowercase Uni- 
code. 

Challenges — Cs, Cu — are arbitrary strings of octets, not 
text They may contain any bit patterns, including nulls, 
and are preferably, at least eight octets in length. 

Pass-phrases — Ps, Pu — are 16-octet quantities that con- 
tain arbitrary bit patterns, including nulls. If the pass- 
phrase is based on a textual phrase, the texmal phrase 
is converted to a 16-octet quantity by the following 
process: 

Convert the text string to a sequence of characters in 
either the Unicode or ISO 8859-1 character sets, as 
appropriate for the reahn. 
Convert each character to its lowercase equivalent, or 
its uppercase equivalent, or leave it alone, as appro- 
priate for the reahn. 
Store the sequence of characters in an octet stream, 
with each Unicode character in two consecutive 
octets in big-endian order, or each ISO 8859-1 
character in one octet. 
Take the MD5 digest of the resulting string of octets. 
The resuU is the 128 -bit value to use in the authen- 
tication calculations. 
A realm specifies which of the preceding options — 
character set, case conversion, and hash function — it uses 
for the text-to-1 28-bit value transformation. Preferably, the 
defaults are Unicode, convert to lowercase, and MD5. The 
user-service protocol may be designed to convey the appro- 
priate options for each realm from the service to the user, if 
other than the defaults are to be supported, to avoid requiring 
the (human) user to manually configure software. 

Referring to FIG. 2, the primary steps for a preferred 
embodiment of the present invention are shown. 
The authentication process begins when a user attempts to 

access a service 60. 
In response to the user's access attempt, the service 
supplies a sequence of realms, with the service's name 
in each realm, to the user 62. A user may choose a realm 
in which he has an identity. For example, a CIS user 
may choose to be authenticated in the CIS realm while 
an AOL user may choose to be authenticated in the 
AOL realm, [foo@compuserve.com bar@aol.com may 
mean "Please identify yourself with a CIS user ID. If 
you don*t have one, your AOL ID will do."] Preferably, 
the service indicates its realm preferences in most- 
preferred to least-preferred order. By specifying only 
one real the service requires identification in that realm. 
The user chooses a realm, Nr, and gives it and his name 
in that reahn, Nu, to the service 64. That, in turn, 
determines Ns, the service's name in that reahn. Note 
that a protocol may allow the service to include a null 
realm name, meaning **V\\ accept you as an anonymous 
user if you wish." The user may make this choice by 
supplying a nuU name; then the process stops here, and 
no authentication is performed. 
The service transmits a random challenge, Cs 66. The 
challenges are random values that make each authen- 
tication imique. 
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The user sends a random challenge, Cu 68. 
The user calculates a response, Ru: 

Ru-MD5(Pu+Z+Nu+Ns+Nr+Cu+C&+Pu) 
The response is sent to the service 70. Only the real user 
may generate the correct response because it depends 
on the user's pass-phrase, Pu. Generally, user's pass- 
phrase may not be determined from a captured 
response because it's generated by a one-way func- 
tion (although there is the risk of a dictionary attack 
if Pu is based on a poorly chosen pass-phrase.) 
The service calculates a response, Rs: 

Rs-MD5(Ps+Z+Nu+Ns+Nr+Cu4Cs+Ru+Ps) 
This response is nol sent to the user. It may be seen by 
the user, but the user does not need it. 
The service sends a request to the authentication deity for 
the realm in question 72. The request contains the reahn 
name, Nr (included so the same deity may serve more 
than one realm), the user's name, Nu, the service's 
name, Ns, the user's challenge, Cu, the service's 
challenge, Cs, the user's response, Ru, the service's 
response, Rs. 

The deity uses Nr, Ns, and Nu to look up the user's and 
service's pass-phrases. 

The deity uses the values in the request, plus the service's 
pass-phrase, Ps, to verify Rs. If it is incorrect, the deity 
returns a negative response as this request apparently 
did not come from a legitimate service 74. 

Having verified the requesting service's identity, the deity 
uses the values in the request plus the user's pass- 
phrase, Pu, to verify Ru. If it is incorrect, the deity 
returns a failure response to the service as the user does 
not know the correct pass-phrase 74. 

Having verified both the user's and service's identity, the 
deity creates a random, 128-bit session key, Kus, for 
use by the user and service. Tliey may use it for session 
encryption. In addition, it may be xised in the reaulhen- 
tication process described later. 

The deity generates two obscured copies of the session 
key: 

Kuss«Kus xor MD5(Ps+Z+Ns+Nu+Nr+Cs+Cu+Ps) 
Kusu-Kus xor MD5(Pu+Zri-Ns+Nu+Nr+Cs+Cu+Pu) 
The obscuring masks resemble Ru and Rs, but differ so 

an eavesdropper may not recover Kus. 
The deity generates a pair of authentication "proofs": 
Au«MD5(Pu+Z+Ns+Nu+Nr+Kusu+Cs-i<:u+Kus+Pu) 
As-MD5(Ps+Z+Ns+Nu+Nr+Kuss+Cs+Cu+Kus+M+ 

Ps) 

Here "M" is the message transmitted from the deity to 
the service. It is included in the calculation to authen- 
ticate the response to the service. 
The deity sends the four values Kuss, Kusu, As, and Au 

to the service. 

The service extracts its copy of the session key from Kuss 
by calculating the obscuring mask value and XORing. 
(The service may determine the user's key-obscuring 
value by calculating Kus xor Kusu. If the user sees 
Kuss, it may do likewise. But the obscuring masks 
reveal nothing.) 

The service verifies As by performing the same calcula- 
tion and comparing the result. If it matches, the service 
knows that someone who knows its pass-phrase — the 
deity — replied, having verified that the user is who he 
claims to be. 

The service forwards Kusu and Au to the user 78. 

The user extracts its copy of the session key from Kusu by 
calculating the mask value and XORing. 
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The user verifies Au by computing it and comparing it to 
the service response Rs. If it matches, the user knows 
that someone who knows his pass-phrase — the deity — 
replied, having verified that the service is who it claims 
5 to be. 

Now the user and service are confident of each 
others' identities, and the two parties share a session key that 
they may use for encryption, if they so choose. 

ReauthcDtication 

Reauthentication is a process by which a user and service, 
having recently authenticated each other, may again mutu- 
ally authenticate without talking to a deity. This technique is 
useful for protocols such as HTTP which involve a sequence 
15 of connections that arc independently authenticated. It is 
also useful with parallel conncctions-for example, in a 
scheme in which a user and service are connected and wish 
to establish a second connection. 
To re authenticate one another, the user and service prove 
20 to each other that they both possess a secret 128-bit key-the 
session key, Kus, derived during the authentication process. 
The reauthentication process is essentially an ordinary 
challenge-response mechanism in which the session key is 
used as a pass-phrase. 
The service sends a challenge, Cs, to the user 80. 
The user sends a challenge, Cu, to the service 82. 
The user calculates Ru: 

Ru=MD5(Kus+Z+Ns+Nu+Nr+Cs+Cu+Kus) 
2g The response is sent to the service 84. 

The service verifies the result, Ru. If correct, it calculates 
Rs: 

Rs=xMD5(Kus+Z+Nu+Ns+Nr+Cu+C^+Kus) 
The response is sent to the user 86. (Both responses 
35 involve the same set of values, but they are used in 

a different order, so the responses are different.) 
Tlie user verifies the resuh. 

Reauthentication Cheating 

^ In some protocols, it may be more efiBcient to shortcut the 
reauthentication process by cheating. One technique is to 
allow the Authorization header to be replayed (replay). For 
example, to embed a challenge- response technique in HTTP, 
two HTTP transactions may be used for authentication 
45 because a challenge may not be sent and a response received 
in one HTTP transaction. However, if the user may be 
challenged without sending a challenge to the user, authen- 
tication may be accomplished in one HTTP transaction. A 
single HTTP transaction may be used to accomplish authen- 
5Q tication by treating the Uniform Resource Identifier (URl) as 
a challenge as follows; 
The first time, the user and service perform the authen- 
tication process as described above. 
The user and service remember the session key (Kus) and 
55 challenges (Cu and Cs). 

When the user generates an HTTP request, he includes an 
Authorization header containing a response calculated 
as: 

MD5(Kus+Z+Ns4Nu+Nr+Cs+Cu+method+URI+Kus) 
60 The method and URI are canonicalized by taking the 
big-endian Unicode representation and converting all char- 
acters to lowercase. Preferably, the URI does not include the 
scheme://host:pon. Preferably, it begins with a slash. For 
example, for httpyAvww.foo.com, the one-character string 
65 "r may be used. 

Now the authentication response is unique for each URI, 
and calculable by the authenticated user, even without a 
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unique chaUenge. This risk associated with replay is not 
eliminated completely, but an attacker may replay only a 
previously referenced URI during the window in which the 
service considers the session key to be valid. When reading 
Web pages, the only impact of replay is that the attacker may 
re-read the page. Such a risk may be acceptable because the 
attacker saw the page when it was captured it along with the 
original request. 

In the event the user is charged per page or if the request 
"did" something, replays may be handled as follows. One 
strategy to address the problem is to maintain some history. 
In its simplest form, the service sets a flag for this session 
when it docs something for which replay is not acceptable. 
If the user tries reauthentication cheating, and the flag is set, 
the service forces reauthentication. Because the cheating 
response is based on Cu and Cs, and those values change 
during reauthentication, the correct respotise for a given URI 
changes after reauthentication. Thus, reauthentication cre- 
ates a boundary after which previous requests may not be 
replayed. 

Alternatively, the service may maintain a history of URIs 
for which replay may be inadequate. Using this scenario, 
reauthentication may be required only if the user tries 
reauthentication cheating on one of those URIs. 

Service-to-Dcity Protocol 

The protocol used by the service and authentication deity 
in a preferred embodiment of the present invention may be 
summarized as follows. The service sends a request to the 
authentication deity and receives a reply. The requests and 
replies may be packaged in User Datagram Protocol (UDP) 
datagrams, or as byte streams over a Transport Control 
Protocol (TCP) connection. 

Finding the deity is a service configuration issue that may 
be resolved in several different ways. Preferably, the service 
knows the IP addresses. TCP or UDP port numbers, etc.. for 
the deities for a particular realm. Also, the service knows its 
name and pass-phrase in that reahn. 

Object Formats - 

In a preferred embodiment of the protocol of the present 
invention, every message is an object composed of other 
objects. Every object consists of a type-length-value 
encoded structure: 



TVpe [.cngth MSB Length LSB \^luc octet 1 

Value octet 2 Value octet 3 \Wuc octet 4 



Each box represents one octet. Octets are transmitted in 
order from left to right, top to bottom. 

"Type" is a single octet that identifies the type of the 
object. 

"Length" indicates the number of octets following the 
length field, is a L6-bit, big-endian value. The appro- 
priate number of value octets — possibly none — follow 
the length field. Their meaning is determined by the 
type of the object; in some cases, the value octets 
contain a sequence of other objects. 
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Here is an example of an object that contains 4 value octets: 



5 


TVpe 


00000000 


0 0000 1 00 


Vblue octet 1 




Value octet 2 


V^luc ocwt 3 


Vfelue oact 4 





Here is an example of an object that contains 1,000 value 
octets: 

10 



15 



TVpe 


0000 00 1 1 


1110 1000 


V%lue octet 1 


Vfelue octet 2 


VWuc octet 3 


V^hic octet 4 


Nfeluc octet 5 


\^liie octet 996 


\Wue octet 997 


Mihie octet 998 


\^luc octet 999 


Vilue octcUOOO 









Preferably, no padding or alignment is used. If an object 
20 contains sub-objects, they follow one another with no pad- 
ding. For example, an object whose value consists of three 
sub<ibjects may be represented as follows: 



25 



30 



Object type 


oooocooo 


00001111 


Sub-obj 1 type 


00000000 


00000101 


Vihic octet 1 


V^luc octet 2 


Vklue octet 3 


Value octet 4 


\ilue octet 5 


Sub-obj 2 type 


00000000 


OOOOCOOO 


Sub-obj 3 type 


00000000 


00000001 


\%Juc octet 1 





In this example, there is a single object whose value 
contains 15 octets. In this example, the value is a sequence 
of three objects; the first of which contains five octets, the 
35 second of which is zero length, and third of which contains 
one octet. The meaning of each object depends on its type. 

The term "sub -object" may refer to an object when it is a 
part of another object, but this is merely a matter of 
terminology. There is no difference in encoding nor in the 
meaning of the type field, regardless of whether the object 
is contained in some other object or not. 

The Deity Information Field 

All messages may contain a field ("deity information 
field") that conveys information defined by a particular 
45 deity. The deity information field may be used in three 
contexts: 

In a request, a service may use the deity information field 
to tell the deity the nature of the aaion for which 
authentication is being performed, if there is some 
50 reason to do so. In addition, the service may ask the 
deity for particular information about the user name 
h>eing authenticated, although, in general, the deity 
already knows what additional information to return to 
a particular service. 
55 In an affirmative response, the deity may return additional 
information about the user name. 
In other responses, the deity information field may indi- 
cate something about the nature of the problem. 
In general, different deities and services have different 
information appropriate for inclusion in the deity informa- 
tion field. It is difficult to conceive of a tmly "standard" set 
of information to be included in the deity information field. 
Thus, the definition of the deity infonnation field's contents 
is left to each deity. 

65 , Message Object Types 

There are seven message object types, one for a request 
and six kinds of replies. 
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Autbentication Request 

Aulheoiicalion response, afiSnnative 

Authentication response, no service 

Authentication response, negative 

Authentication response, invalid service 

Authentication response, problem 

The various response flavors indicate various conditions 
of the account as described below. A message is an object 
that contains other objects. Preferably, the message itself is 
encoded as a type, length, and value, as described above, 
where the value consists of the concatenation of the com- 
ponent objects of that message. Each cooiponent object 
consists of its own type, length, and value. Unless stated to 
the contrary, all messages contain exactly the objects indi- 
cated in the order shown. Optional components, sudi as the 
deity information field, may be omitted. 

Authentication Request 

An authentication request contains the following sub- 
objects. 



Request identifier 

Nr (Realm name) 
Ns (Service name) 
Nu (User oamc) 
Cu (Challenge from user) 
Cs (Challenge from service) 
Ru (Response from user) 
Deity Information (optional) 
Rs (Response from service) 
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As is calculated as: 

MD5(Ps+Z+Ns+Nu+Nr+Kuss+Cs+Cu+Kus+M+Ps) 
where M is the request shown above, octet by octet, from the 
type octet for the containing object through the last octet of 

5 the length field of the As object, inclusive. This serves to 
protect the entire request. Note that the Nu mentioned as the 
third component in the formula is the originally specified 
user name, not the altered -case version in the response 
message. An afl&rmative response does not necessarily mean 

jQ that it is reasonable to provide service to the user. Often, 
there are criteria beyond a "yes" answer, that could mean 
anything from "it's a valid user** to "it*s a valid user, but not 
billable" to "it is an accoimt that was signed up five minutes 
ago and we haven't had a chance to look at it yet." 

Typically, the authentication deity applies criteria appro- 
priate to the requesting service. For example, if the service 
does not want to allow "free" users, the authentication deity 
may be configured to return a no-service response for such 
a user. Alternatively, the deity may be configured to provide 
an afiSrmative response, but include information in the deity 

20 information field that permits the service to distinguish 
"free" from "paying" users and treat ihem differently. 

Authentication Response, No Service 

The no-service response is an indication that the user is 
25 whom she claims to be, but she is not entitled to access the 
service for one reason or another. For example, she may be 
a "free" user, but the service is provided only to paying 
accounts, or her billing choices may not include the service, 
or Customer Service may be waiting for her to provide a new 
credit card number. The authentication deity's configuration 
for this particular service determines the aiteria applied by 
the deity when making the decision to reply aCBrmative or no 
service. 



The request identifier contains arbitrary data that is not 
interpreted by the deity. It is echoed in a response to provide 
a way for the requesting service to match requests and 
responses. The deity information field contains additional 
information about the request, and is described below. 
Usually, it is omitted or null, (i.e., zero-length.) 

Rs is calculated as MD5(Ps+Z+M+Ps), where M is the 
request shown above, octet by octet, from the type octet for 
the message object itself through the last length octet of the 
length field of the Rs object. Thus, it serves to protect the 
entire request, including its structure, length, etc. 

Authentication Response, Affirmative 

An affirmative response indicates that the user name is 
recognized, and is indeed the user the service is talking to. 



Request idenlilicr 

Canonical Nu (User name, case corrected) 
Kuss (Key obscured for service) 
Kusu (Key obscured for user) 
Au (Authentication value for user) 
Deity [nformation Field (optional) 
As (Authentication value for service) 



Preferably, the response contains the canonical user name 
in the desired case and is not the same object type as Nu in 
the request. In an environment that is not case sensitive, this 
is the preferred form of the name, which may differ from the 
name in the request. The deity information field may contain 
additional information about the user name. 



35 

Request identifier 

Canonical Nu (User name, case corrected) 
Kuss (Key obscured for service) 
Kusu (Key obscured for user) 
4Q Au (Authentication value for user) 

Deity Infoimation Field (optional) 
As (Authentication value for service) 



The contents of this object arc identical to those for an 
45 affirmative response, but the service docs not normally use 
the keys or Au values. The deity information field may 
include information useful in distinguishing the reason for 
the no service response, if appropriate for this service. 

Authentication Response, Negative 

A negative response means the user is not who she says 
she is. This response may result for several reasons. First, 
there may be such a, user name, but the service is not 
communicating with the actual user. Also, there may be such 
a user name, but it is not an enabled account. Alternatively, 
there may be no such user name. 



Request identifier 

60 

Deity Information Field (optional) 
As (Authentication value for service) 



As is calculated as MD5(Ps+Z+M+Ps).The message may 
65 contain a deity information field if there is additional infor- 
mation about the problem (e.g., for logging), but it may be 
omitted. 
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AutbeoticatioD Response, Invalid Service 

An invalid request response means the request may not be 
processed because the service is not what it claims to be as, 
apparently, the service's pass-phrase is not known. The 
negative response may also be based on any other kind of 
authentication checking done by the deity. 



Request ideniifier 

Deity Information Kcld (optional) 



The deity information field, if present, contains informa- 
tion that allows the deity administrators to trace the problem. 
There is no As field because there is no shared secret to 
authenticate the response. 

Authentication Response, Problem 

A "problem" response indicates that the request may not 
be processed for some reason. There may be a failure in the 
system, an unparsablc request, or a request for a realm that 
is not handled by this deity. Other problems may also result 
in this response. 



Request identifier 

Deity Information Encld (optional) 
As (optional) 



The Deity Information Field may contain information that 
allows the deity administrators to trace the problem. As may 
or may not be present, depending on the nature of the 
problem (i.e., whether there is a known shared secret with 
the server), if present, it is calculated as 

MD5(Ps+Z+M+Ps) 

Object Types 

The following types of objects may be defined in this 
protocol. These object types apply to the messages them- 
selves and objects contained in messages. These types do not 
apply to the contents of the deity information field. 

Authentication request — type 1 — The request to the 
authentication deity. Its contents consist of a sequence of 
other objects is described elsewhere. 

Authentication response, afiSrmative — type 2 
Authentication response, no service — type 3 
Authentication response, negative — type 4 
Authentication response, invalid service — type 5 
Authentication response, problem — type 6 
Request identitfier— type 128 — A request contains an 
identifier to assist in matching replies to requests. This 
identifier is opaque to the deity and is simply echoed in the 
reply so its value is defined only by the requesting entity. 
Preferably, the value is unique for each request, but it is 
otherwise meaningless. It may be of any length. 

Realm name — type 129 — ^The name of the reakn in which 
the user's and service's identities exist. This value is 
included in the request to allow a deity to serve more than 
one realm. Preferably, the value consists of the name in 
Unicode, in big-endian order. There is no terminating null 
character, and the realm is generally treated as being case 
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insensitive. For example, the realm aol.com may appear as 
follows: 



5 



10000001 


00000000 


00001110 


00000000 


01100001 


00000000 


01101111 


00000000 


onoiloo 


00000000 


00101110 


00000000 


onooon 


00000000 


OUOllU 


00000000 


01101101 









The type is 129, fourteen octets follow, and the big-endian 
Unicode representation of the seven characters "aol.com". 

Service name — type 130 — The name of the service in 
big-endian Unicode. 
15 User name — type 131 — The name of the user in big- 
endian Unicode, (e.g., gsb.) 

User challenge — type 132 — The user's challenge, a 
sequence of random octets. The length is not bounded by the 
protocol, but the deity may impose length restrictions, (e.g., 
2Q a minimum and maximum length.) All bit patterns are 
permitted in the challenge. 

Service challenge — type 133 — ^The service's challenge, a 
sequence of random octets. The length is not bounded by the 
protocol, but the deity may impose length restrictions, (e.g., 
25 a minimum and maximum length.) All bit patterns are 
permitted in the challenge. 

User's response — type 135 — ^The user's response, con- 
taining 16 octets with the value specified above. TCs value 
is binary so any bit pattern may be used. 
3Q Service's response — type 136 — The service's response, 
calculated as described above. This value is binary so any bit 
pattern may be used. 

Key obscured for user — type 137 — ^The key for the user, 
containing 16 octets as described in above. This value is 
35 binary so any bit pattern may be used. 

Key obscured for service — type 138 — ^The key for the 
service, containing 16 octets as described above. This value 
is binary so any bit pattern may be used. 
Authenitication proof for user — type 139 — ^The authenti- 
4Q cation proof, Au, for the user, containing 16 octets as 
described above. This value is binary so any bit pattern may 
be used. 

Authentication proof for service — type 140 — ^The authen- 
tication proof, As, for the service, containing 16 octets 
45 calculated as described above. This value is binary so any bit 
paiiem may be used. 

Canonical user name — type 141 — The user name 
adjusted to canonical case, in big-endian Unicode. 

Deity Information Field — type 142— Deity-specific 
5Q request and response information. It may include a sequence 
of objects that contain information about the user's account, 
or indicate, by their presence or absence, some characteristic 
of the user's account. The use of any particular object is a 
function of the deity's configuration for a particular service. 
55 Consider, for example, a "free" account in an environment 
where services are normally provided for a price. There are 
three most -likely possibihties for how the deity may handle 
a free account when a particular service asks the deity to 
authenticate a user: 
5Q If the account is free, return an af&rmative response. 

If the account is free, return an affirmative response and 
include a "free" indicator in the deity information field. 
If the account is free, return a no-service response. 
The first alternative may be appropriate for a service that 
65 provides service to free users, when the service is not 
concerned whether the user is paying or not The second 
alternative may be appropriate for a service that provides 
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service to &ee users and handles free and paying users names, session key, challenges, state, etc. Authentication 

differently (e.g., provides a different class of service to free schemes to be included in the headers may also be defined, 

users than not-free users.) The third alternative may be The client begins by making a request for which the server 

appropriate for a service that does not provide service to free requires identification and authentication. If there is no 

users. In that case, the deity may include a free indicator in 5 Authorization teader in the request, the server requests 

the deity information field, to note the reason. authentication. All WWW-Authenticate and Authorization 

Services may use the deity information field differently headers used with this scheme may include a Version 

depending on the needs of the service. Therefore, the deity attribute to identify the version of the protocol in use. When 

information field format, preferably, is flexible to accom- omitted, as in the examples below, Versiono"!" may be 

modalc the different ways in which services may use the 10 implied, for this version of the proUDCol. 
field. A service-deity pair may define the deity infonmation 

field in accordance with the type of information to be Auththcntication 

exchanged. Preferably, one type of sub-object that contains -j^e server creates a new security context, assigns it an 

textual attributeA^alue pairs is defined to provide a standard identifier, and responds 401 Unauthorized and includes the 

encoding for one common need. 15 header: 

Type 1 — tribute/value pairs — If the deity information 
field contains a type-1 — object, that object may be com- 
posed of a sequence of textual attribute/value pairs, where 

the value is optional. Sometimes, the presence or absence of www-AuthcnUcate: 

an attribute is significant, with no need for a corresponding 20 Remote-Pass hiase 

value. An aturibute consists of a sequence of Unicode Realm - "compuscrvccom", 

characters in the syntax attribute ["=" value] (i.e., the state - "initiar, 

attribute name optionally followed by an character (code Realms - "authen@compuserve.com 

003D) and a value.) AU characters may be taken from the ctS^e^^fa^^^'ott^^^^ <*^>eagc". 

Unicode character set and stored in big-cndian byte order. 25 Sccurity-Context - "cpnquc" 

The attribute name may consist of any characters except a 

null or equal sign. The value may consist of any characters 

except a null. token specifies the authentication scheme, 

Remote-Passphrase. Following is a comma-separated list of 

HyperText Transfer Protocol Embodiment attribute-value pairs. In HTTP, the first attribute is called 

In one embodiment of the present invention, the mecha- "Realm" and specifies the realm in which the user, 

nism of RPA is adapted to work with the Hyper-Text preferably, indicates his identity. However, RPA supports 

Transfer Protocol (HTTP) of the WWW/Internet. The HTTP multiple realms so this is merely one realm acceptable to the 

client may indicate that it supports this authentication server — perhaps its preferred realm. The State attribute may 

mechanism by whatever technique is appropriate. For distinguish this as the initial request for authentication, 

example, when requesting access to a service, the client may The Realms attribute may provide a list of realms in the 

include a header such as "Extension: Security/Remote- order preferred by the server, with the server's name in each 

Passphrase" to indicate its ability to perform this authenti- realm. Each may be followed by a colon and a list of 

cation mechanism. The extension mechanism is independent parameters separated by commas to drive the transformation 

of the authentication mechanism. from pass-phrase to 128-bit shared secret for that particular 

Next, a security context may be defined which represents realm. The default transformation, if the colon and param- 

a logical connection between a user (client) and Web server. ctcrs are omitted, is the Unicode character set in big-cndian 

Preferably, because the context spans HTTP connections, ("network") byte order with all characters converted to 

the server assigns a security context identifier — an opaque lowercase and the MD5 hash algorithm, 

string — when it creates a context. The servere asigns all ^5 Preferably, a single parameter, "none", is used to imply 

identifier when it creates a context and it informs the client that the client akcady possesses a 128-bit value and no 

of its value in the Security-Context attribute of the WWW- transformation from a textual pass-phrase is defined. 

Authenticate header. The client includes the identifier in the Otherwise, three parameters may control the transformation 

Authorization header of subsequent requests that refer to the from a textual pass-phrase to the 128-bit shared secret used 

same context. 5q by the authentication mechanism, if such a transformation 

From the client's point of view, the pair (server IP address, takes place. The three parameters specify the character set: 

security context identifier) uniquely identifies a context. The Unicode 1 .1 ("unicode-1-1") or ISO 8859-1 ("iso-8859-1"); 

same is essentially true for the server, although a server may case conversion: convert to all caps ("uc"), all lowercase 

make its security context identifiers unique, rather than ("Ic"), or as-is with no case conversion ("nc**); and hash 

(client IP address, identifier) pairs. 55 function: MD5 ("md5"). Omitting the colon and parameters 

A client may refer to the same security context from is equivalent to specifying "unicode-1-1 4c,md5", These 

different IP addresses, if he switches proxies. The client IP parameters are part of the base authentication mechanism 

address alone may not be adequate to identify the security specification. Only the means of conveying them, and the 

coniext.Amultiple-user host, an HTTP proxy, and a SOCKS textual names shown above, are specific to this HTTP 
server are examples of situations in which the same IP go authentication scheme. Other variations may be added, but 

address may be involved in many security contexts. Even an preferably, they are added to the base authentication mecha - 

individual PC running two browsers falls into this nism. 

category — if the user connects to a server from both The Challenge attribute specifies the service's challenge, 

browsers, two security contexts arc established that may or It is an arbitrarily long sequence of octets containing arbi- 

may not refer to the same user identity. 55 trary bit patterns, represented in base64. The client decodes 

The security context "contains" information appropriate it before using it in the authentication calculations. It may 

to the context, such as the realm name, user and service contain nulls or any other bit patterns. The client may 
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decline to trust the server and abort at this point, if it deems 
the challenge to be too short. 

The Security -Context attribute contains the server- 
assigned security context identifier — an opaque string. The 
client creates its security context and repeats the request 
with an Authorization header: 



Auihorization: 



Remote-Passphrasc 

Stale - "Initial" 

Security-Context - "opaque", 

Realm = "compuscrvc.com'*. 

User name - "70003.1215", 

Challenge - "base64 encoding of user challenge'*. 

Response « *1)asc64 encoding of response" 



The first token specifies the authorization scheme. It is 
followed by the state, "Initial" for the initial authentication; 
the security context identifier; the realm chosen by the user; 
the user's identity in that realm; the user's challenge; and the 
user's response. The service looks up the security context. If 
the security context identifier refers to no context or refers 
to a context that is already established, the server creates a 
new security context with a new identifier, then responds 
401 Unauthorized and includes a fresh WWW-Authenticatc 
header, as shown above, with which the client may repeat the 
request with correct authentication information. 

Any existing security context is unaffected. If the context 
identifier is recognized and that context is in the awaiting 
authentication stale, the server performs the authentication 
process. The server may verify that the clients' s IP address 
matches that in the previous request that created the "pend- 
ing" context. 

If the authentication process fails, preferably, the server 
refuses to process the request, but does not delete the 
"pending" security context. It generates a 401 Unauthorized 
response with a WWW-Aulhenticate header that indicates 
failure: 



www-Authenticate: 



Remote- Paasphrasc 
Realm = "nonsense**. 
State - "Failed" 



It Ls up to the chent to try the request again (without an 
Authorization header), restarting the entire process, if it 
believes that it was using the wrong pass-phrase but, it now 
has the right pass-phrase. 

Otherwise, having sucoessftilly authenticated the user, the 
server processes the client's request and returns an appro- 
priate response, including in its reply the following: 



www-Authenticate: 



Re mote- Passphrase 
Realm • "realm in use", 
State * "Authenticated", 

Session-Key - "base64 encoding of session key", 
Response = "base64 encoding of response" 



The "Authenticated" stale indicates that the user was 
successfully authenticated, and includes the session key 
which is masked so only the user may extract it (Kusu), and 
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the authentication deity's proof of the serWoe's identity (Au, 
not Rs). The reahn may be ignored, but preferably indicates 
the realm in which the identity was authenticated. 

5 Reauthentication Cheating 

Reauthentication cheating is a further optimization for an 
embodiment of the present invention compatible with HTTP. 
In general, the HTTP protocol is quite unfriendly to 
challenge-response mechanisms. However, the reauthenti- 
cation cheating technique of the present invention may be 
performed in parallel with an HTTP transaction. The "one- 
way" handshake of reauthentication cheating is preferable to 
the true reauthentication which is just as simple, but involves 
two sequential requests because of the characteristics of 
15 HTTP. 

In subsequent requests, the client tries to cheat by includ- 
ing an Authorization header in its request: 

20 

Authorization: 



Re mote- Passphrase 
State - "Cheating**, 
Security -Context - "opaque*', 
25 Response - *^ase64 encoding of response" 



where the response is calculated based on the previously 
agreed-upon values plus the canonicalized method aid 

30 URl of this request. 

The HTTP specification suggests that clients be allowed 
to replay the previous Authorization header, but it includes 
an escape clause — "for a period of time determined by the 
authentication scheme" — so that period of lime may be 

^2 declared to be zero. If the server is willing to accept the use 
of reauihemicaiion cheating, and the response is correct, the 
server may process the request without comment. If it 
recognizes the security context but, is not willing to cheat 
(e.g., it recognizes a replay) the server may demand reau- 
thentication. If it does not recognize the security context or 
if it recognizes the context but, the cUenl's response is 
incorrect, the server requests authentication but, does not 
delete the existing security context. In either of these cases, 
the server responds 401 Unauthorized and includes the 
appropriate WWW-Aulhenticate header. 

45 

Reauthentication 

If the server chooses to require reauthentication, it replies 
401 Unauthorized and includes the header: 

50 



www-Authenticate: 



Rcmo tc- Passphrase 
55 Realm = "realm in use". 

State - "Reauthenticate", 

Challenge - ''basc64 encoding of service challenge" 



The client retries the request with an Authorization field: 

60 



Authorization: 



Remote-Passpbrase 
State • "Reauthenticate", 
Security-Context ■ "opaque'*. 
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•continued 
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Authorizatton: 



Challenge < 
Response - 



''base64 enoodisg of user c±allenge", 
"base64 encoding of response" 



If the response is correct — the user has proven his knowl- 
edge of the previously generated Kus for this context — the 
server processes the request and includes in its reply: 



10 



WWW-Aulhenticate: 

Re mote - Pessph ras e 

Realm • "realm in use". 

State m "Reauthenticated", 

Re^nse - ''base64 encoding of response" 
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The pasi-tcnsc state indicates successful rcauthentication 
and includes the server's response. This response is of 
debatable relevance to HTTP given that the client's use of 
reauthentication cheating implies its willingness to trust that 
the server's identity has not changed. 

If the client's response is incorrect, the server does not 
process the request. However, there is a possibihty that the 
client attempted to do reauthentication with an old security 
context identifier that has been reused by the server. 
Although the server preferably avoids reusing security con- 
text identifiers, it may attempt to avert the problem by 
forcing authentication by responding 401 Unauthorized and 
including the header described above under Authentication. 

Summary 

The need for secure commimications is growing as the use 
of global computer networks increases. Users and services 
want assurance that they are communicating with the desired 
entity. Users and services have a need to learn and authen- 
ticate each other's identity. Consequently, there is a need for 
an authentication mechanism that provides a high level of ^0 
security and is adaptable and flexible enough for use with 
many different protocols used by communicating entities on 
global computer networks. The authentication mechanism of 
the present invention meets these criteria and others includ- 
ing: 

The service learns and authenticates the user's identity. 

The user learas and authenticates the service's identity. 

The mechanism is based on shared secrets: "pass-phrases" 
although they can be arbitrary bit patterns rather than 
text. It relies on the knowledge of the user rather than 
the user's location, point of access, access device, etc. 

Neither the user nor the service nor eavesdroppers will 
leara the other's pass-phrase so neither the user nor the 
service will acquire the ability to impersonate the other. 

The mechanism derives a shared secret that may be used 
as a session key for subsequent authentication. 

The mechanism is easy to implement in clients and docs 
not require the client to communicate with a third party 
(e.g., authentication deity). 

The mechanism may be incorporated into almost any 
prolocoL The mechanism is not designed around a 
protocol; the protocol is designed around the mecha- 
nism It is suitable for incorporation into protocols such 
as HTTP. 

The mechanism provides the ability to accept an identity 
in any of a set of realms in which the user and service 
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are members. Users may be authenticated in a familiar 
realm. They are not required to remember a separate 
pass phrase for every service nor are ihey required to 
use a different authentication mechanism for every 
service they want to access. 
The mechanism of the present invention works even if the 
service docs not know the user's pass-phrase. In a 
distributed environment with many services that wish 
to authenticate the same set of users^ it may be difiGcult, 
and undesirable, to make users' pass-phrases available 
to all services. Therefore, the service does not know the 
user's pass-phrase and it does not learn the user's 
pass-phrase during the authentication process. 
The mechanism of the present invention may be used in 
the traditional case where the service knows the user's 
pass-phrase. There is no need to use a different mecha- 
nism in that case. 
Increasingly, businesses and other private and commercial 
entities wish to make their services and resources available 
to computer users throughout the world. In many instances, 
these entities would like to make their services and resources 
available through the WWW/1 nteraet or other existing 
world-wide network so that they may be located easily and 
once located, may be accessed easily. However, users and 
services will be reluctant to communicate with one another 
unless each knows who or what is at the end of the 
connection. Remote Passphrase Authentication provides 
users and services with confidence regarding each other's 
identity that is needed to engage in on-line business and 
related transactions. 
What is claimed is: 

1. A system for remote pass-phrase authentication com- 
prising: 

a plurality of authentication deities; 

a plurality of services, said services adapted for commu- 
nication with said authentication deities; 

a plurality of user computers adapted for communication 
with said services; 

a selected service and a selected authentication deity, said 
selected service and selected authentication deity trans- 
mitted from one of said plurality of user computers to 
said selected service; 

a service random challenge transmitted from said selected 
service to said one of said plurality of user computers; 

a user response to said service random challenge, said 
user response transmitted from said one of said plural- 
ity of user computers to said selected service; 

a user random challenge transmitted from said one of said 
plurality of user computers to said selected service; 

a service response to said user random challenge; 

an authentication request comprising said selected 
authentication deity, a user name associated with said 
one of said plurality of user computers, a service name 
associated with said selected service, said service 
challenge, said user challenge, said service response, 
said user response, said authentication request trans- 
mitted from said selected service to said selected 
authentication deity; and 

an authentication response transmitted from said selected 
authentication deity to said selected service, said 
authentication response based on said authentication 
request, a pass-phrase associated with said one of said 
plurality of user computers, and a pass-phrase for said 
selected service. 

2. The system of claim 1 wherein said authentication 
response comprises an authentication proof for said one of 
said plurality of user computers. 
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3. The system of claim 1 wherein said aulhenticalion 
response comprises an authentication proof for said selected 
service. 

4. The system of claim 1 wherein said authentication 
response includes one or more of the group consisting of 
afiSrmative responses, negative responses, do service 
responses, invalid service responses, and problem responses. 

5. The system of claim 1 fiirtber comprising a session key 
for said use by said one of said plurality of user computers 
and said selected service. 

6. The system of claim 5 wherein said session key is used 
for encryption. 

7- The system of claim 5 wherein said session key is used 
for a reauthentication process. 

8. A method of authentication, said method comprising 
the steps of 

(a) assigning a first identifier and a first pass-phrase to a 
first entity, said first identifier and said first pass-phrase 
associated with a realm; 

(b) assigning a second identifier and a second pass-phrase 
to a second entity, said second identifier and said 
second pass-phrase associated with said reakn; 

(c) storing said first identifier, said first pass- phrase, said 
second identifier, and said second pass-phrase at an 
authentication entity; 

(d) requesting access to said second entity, said request 
initiated by said first entity and including said first 
identifier; 

(e) transmitting a first challenge from said second entity 
to said first entity; 

(f) transmitting a second challenge from said first entity to 
said second entity; 

(g) calculating a first response involving said realm, first 
identifier, said first pass- phrase, said first challenge, 
said second identifier, and said second challenge, said 
first response calculated by said first entity; 

(h) calculating a second response involving said realm, 
said second identifier, said second pass-phrase, said 
second challenge, said first identifier, and said first 
challenge, said second response calculated by said 
second entity; 

(i) transmitting said first response to said second entity; 
(j) transmitting said realm, said first identifier, said first 

challenge, said first response, said second identifier, 
said second challenge, and said second response to said 
authentication entity; 
(k) verifying said first response, said verification involv- 
ing said realm, said first identifier, said first pass- 
phrase, said first challenge, said first response, said 
second identifier, and said second challenge, and said 
verification performed by said authentication entity; 
and 

(1) verifying said second response, said verification 
involving said realm, said first identifier, said first 
challenge, said second identifier, said second pass- 
phrase, and said second challenge, and said verification 
performed by said authentication entity. 
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9. A method of authentication, said method comprising 
the steps of: 

(a) assigning a first identifier and a first pass-phrase to a 
first entity, said first identifier and said first pass-phrase 

^ associated with a realm; 

(b) assigning a second identifier and a second pass-phrase 
to a second entity, said second identifier and said 
second pass-phrase associated with said realm; 

10 (c) storing said first identifier, said first pass-phrase, said 
second identifier, and said second pass-phrase at an 
authentication entity; 

(d) transmitting a first cfaallcDgc &om said second entity 
to said first entity; 

15 

(e) transmitting a second challenge firom said first entity 
to said second entity; 

(f) calculating a first response involving said realm, said 
first identifier, said first pass-phrase, said first 

20 challenge, said second identifier, and said second 
diallcnge, said first response calculated by said first 
entity; 

(g) calculating a second response involving said realm, 
said second identifier, said second pass-phrase, said 
second challenge, said first identifier, and said first 
challenge, said second response calculated by said 
second entity; 

(h) transmitting said first response to said second entity; 
30 (i) transmitting said realm, said first identifier, said first 

challenge, said first response, said second identifier, 
said second challenge, and said second response to said 
authentication entity; 
(j) verifying said first response, said verification involving 
said realm, said first identifier, said first pass-phrase, 
said first challenge, said first response, said second 
identifier, and said second challenge, and said verifi- 
cation performed by said authentication entity; 
40 (k) verifying said second response, said verification 
involving said realm, said first identifier, said first 
challenge, said second identifier, said second pass- 
phrase, and said second challenge, and said verification 
performed by said authentication entity; 
45 (1) generating a session key for said first entity and said 
second entity, said session key generated by said 
authentication entity; 
(m) obscuring said session key for said first entity, said 
obscuring involving said realm, said first identifier, said 
first pass-phrase, said first challenge, said second 
identifier, and said second challenge, and performed by 
said authentication entity; 
(n) obscuring said session key for said second entity, said 
obscuring involving said realm, said first identifier, said 
first challenge, said second identifier, said second pass- 
phrase, and said second challenge, and performed by 
said authentication entity. 
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